Since my internal hard drives are encrypted, it didn’t make sense to back up all of that data to an unencrypted external drive. I’d read Uwe Hermann’s excellent how-to article on disk encryption, but he didn’t cover setting up an LVM partition, which I always use so I can change drive volume sizes on the fly.

This is what I did to set up an external encrypted drive with LVM on an Ubuntu system:

Open a terminal.

Get a root prompt:

sudo /bin/bash

Watch the system log:

tail -f /var/log/messages

Attach the external drive. The system log tells me that it was detected as /dev/sdc.

Check the drive for bad blocks (takes a couple of hours):

badblocks -c 10240 -s -w -t random -v /dev/sdc

Write random data to the entire drive. This step takes all night, but it ensures that never-written drive space can’t be differentiated from encrypted data if someone ever tries to crack the drive. (If you’re going to do this, you might as well do it right.)

shred -v -n 1 /dev/sdc

Create one big LVM partition on the drive using fdisk. Set up one big primary partition, /dev/sdc1, set its system ID (partition type) to “8e” (Linux LVM), and write the changes to disk:

At this point you have a device named /dev/xbackup/backupvol, so create a filesystem on the logical volume:

mkfs.ext4 /dev/xbackup/backupvol

Mount the volume:

mount /dev/xbackup/backupvol /mnt/backup

To get the volume to mount automatically at boot time, add this line to your /etc/fstab file:

/dev/xbackup/backupvol /mnt/backup ext4 defaults 0 5

To be prompted for the decryption key / passphrase at boot time, first get the drive’s UUID:

ls -l /dev/disk/by-uuid

(In my example I use the UUID for /dev/sdc1)

Then add this line to the /etc/crypttab file:

backupexternal UUID=[the UUID of the drive] none luks

That’s it. You now have an external, encrypted hard drive with LVM installed. You’ve created one 500GB volume that uses half the disk, leaving 500GB free for other volumes, or for expanding the first volume.

14 thoughts on “Adding an external encrypted drive with LVM to Ubuntu Linux”

Everything is working as expected. However, if I turn my external drive off while the OS is running, I’m left with a stale vg and crypt mapping.

I finally figured out how to get rid of the stale lvm mapping (sudo vgchange -a n vg_bak_crypt, sudo vgchange -a n vg_bak_crypt), but the mapping that was set up via crypttab is still lingering (/dev/mapper/ext_bak). Is there any way to get rid of that?

More to the point, what else do I need to do/change in order to allow turning the drive off and on while the OS is running and having it remap everything correctly?

To elaborate… here is what I’m seeing in the output of pvs after turning the drive off and back on… If I reboot with the drive on… all will be well, but I’d like to be able to turn it off and on without rebooting if possible…

Note: I think the issue may have to do with the fact that the hd dev name changes from sdh to sdi when I turn it off and back on… but then I suspect there may be more to it as well…

In my case if my computer is powered then the external drive is powered, because I want it there for unattended backups. However, I’ve also done this for drives that I want to be able to attach and detach at any time.

If you want to be able to power the drive on or off any time, do not add the drive to /etc/fstab or /etc/crypttab. Also, DO NOT USE vgremove! That deletes the volume group, destroying your data. You basically want to unmount the drive and then turn off the crypto layer in order to detach the drive.

Follow the steps above through step #14. That gives you a mounted, encrypted drive. To unmount:

Good guide, but beware this is no longer applicable in Ubuntu 12.
It will work the first time, but after a reboot none of the created devices will be available, and regaining access to your data is tricky, to say the least.

ThreePercenter: I’m using this method with the latest versions of both Ubuntu and OpenSUSE. You can add the drive to crypttab and fstab or run the cryptsetup/vgchange/mount commands manually; it should work either way.
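
The manual attach/detach sequence discussed in the comments above (unmount, deactivate the volume group, then close the crypto layer, and the reverse to attach), as an added example that is not part of the original post or its comments. It uses the article's names (backupexternal, xbackup, backupvol, /mnt/backup) and opens the drive through /dev/disk/by-uuid so it does not depend on the sdX name; the UUID is a placeholder and the DRY_RUN switch is an assumption of this example.

```bash
#!/bin/bash
# Added example: attach/detach an encrypted LVM drive by hand,
# for a drive that is NOT listed in /etc/crypttab or /etc/fstab.
# Names are the ones used in the article; the UUID is a placeholder.
LUKS_UUID="${LUKS_UUID:-00000000-0000-0000-0000-000000000000}"  # placeholder
MAPPING="${MAPPING:-backupexternal}"   # dm-crypt mapping name
VG="${VG:-xbackup}"                    # LVM volume group
LV="${LV:-backupvol}"                  # logical volume
MNT="${MNT:-/mnt/backup}"              # mount point

# With DRY_RUN=1 (assumption of this example) commands are printed, not run.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bring-up order: crypto layer first, then LVM, then the filesystem.
attach_drive() {
    run cryptsetup luksOpen "/dev/disk/by-uuid/$LUKS_UUID" "$MAPPING" || return 1
    run vgchange -a y "$VG" || return 1
    run mount "/dev/$VG/$LV" "$MNT" || return 1
}

# Teardown is the exact reverse. Each step must succeed before the next one
# runs, so a busy mount point stops the sequence before the volume group is
# deactivated or the crypto mapping is closed.
detach_drive() {
    run umount "$MNT" || return 1
    run vgchange -a n "$VG" || return 1      # deactivate only; never vgremove
    run cryptsetup luksClose "$MAPPING" || return 1
}

case "${1:-}" in
    attach) attach_drive ;;
    detach) detach_drive ;;
    "")     : ;;   # no argument: only define the functions
    *)      echo "usage: $0 attach|detach" >&2; exit 2 ;;
esac
```

Run it as root with `detach` before powering the drive off and `attach` after powering it back on; `DRY_RUN=1` shows the commands without touching the disk.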